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Data Protection API 



• Introduced in Windows 2000 

• Aim to be an easy way for application to store 
safely data on disk 

• Tie encryption key to user password and the 
account SID 
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Developer point of view 




Application 



DPAPI 
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DPAPI is a simple API* 



* http://msdn.microsoft.com/en-us/library/ms995355.aspx 
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Why digging deeper ? 



• Offline forensic 

• EFS on Linux 

• Security / cool things ? 
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Previous work 



• Multiples attempts to analyze DPAPI 

• Some incomplete (Wine) 

• Some close source (Nir Sofer - NirSoft) 
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Take away 



• Decrypt offline sensitive data 

• Recover user previous passwords (Yes all of them) 

• Do a key escrow attack 
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Outline 
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DPAPI overview 
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Outline 



• DPAPI overview 

• Decryption process 

• Security design implications 
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Outline 



• DPAPI overview 

• Decryption process 

• Security design implications 

• DPAPIckdemo 
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Crypto 911 HMAC 



• HMAC (Message authentication code) 

• Usually used to detect data tampering 

• Used here to derive encrypt key and IV 
ipad = 0x36 xor key 

opad = 0x5 c xor key 

HMAC= (opad . SHAI (ipad.data)) 
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Crypto 911: PBKDF2 



• PBKDF2 = Password based key derivation function 

• Basically it is a hash function (SHAI for us) applied 
n times to slow down the computation. 

• Used to defend against brute-force 

• Salt is used against rainbow tables attacks. 
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Crypto 911 : 3DES 



• 3DES .Triple DES encryption 

• Encrypt, Decrypt, Encrypt 

• Exist in two flavor : 2 keys or 3 keys (64 bits 
each) 

• Windows use the strong version with 3 keys 
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How the system interacts with DPAPI 
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How the system interacts with DPAPI 
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How the system interacts with DPAPI 




Local Security 
Authority 

cryptoAPI 
crypt32.dll 
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How the system interacts with DPAPI 
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How the system interacts with DPAPI 




Local Security 
Authority 

cryptoAPI 
crypt32.dll 
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How the system interacts with DPAPI 




Local Security 
Authority 

cryptoAPI 
crypt32.dll 
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DPAPI CryptUnprotecData Function 



BOOL Wl MAPI CryptUnprotectData ( 
*pDataln, 
*ppszDataDescr, 
*pOptionalEntropy, 
pvReserved, 
*pPromptStruct, 
dwFlags, 
*pDataOut 
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DPAPI CryptUnprotecData Function 



BOOL Wl MAPI CryptUnprotectData ( 

*pDatain, < Encr/pted data aka data blob 

*ppszDataDescr, 

*pOptionalEntropy, 

pvReserved, 

*pPromptStruct, 

dwFlags, 

*pDataOut 
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DPAPI CryptUnprotecData Function 



BOOL Wl MAPI CryptUnprotectData ( 
*pDataln, 

*ppszDataDescr, < Optional description 

*pOptionalEntropy, 

pvReserved, 

*pPromptStruct, 

dwFlags, 

*pDataOut 
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DPAPI CryptUnprotecData Function 



BOOL Wl MAPI CryptUnprotectData ( 
*pDataln, 
*ppszDataDescr, 

*pOptionaiEntropy < Optional entrop/ (salt) 

pvReserved, 
*pPromptStruct, 
dwFlags, 
*pDataOut 
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DPAPI CryptUnprotecData Function 



BOOL Wl MAPI CryptUnprotectData ( 
*pDataln, 
*ppszDataDescr, 
*pOptionalEntropy, 
pvReserved, 

*pPromptStruct, ^ Optional password 

dwFlags, 
*pDataOut 
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DPAPI CryptUnprotecData Function 



BOOL Wl MAPI CryptUnprotectData ( 
*pDataln, 
*ppszDataDescr, 
*pOptionalEntropy, 
pvReserved, 
*pPromptStruct, 
dwFlags, 

*pDataOut < Decrypted data 
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Derivation scheme 




User 
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Derivation scheme 




SHA I (password) 




User 
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Derivation scheme 




SHA I (password) 




User 



Master Key 
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Derivation scheme 




SHA I (password) 




User 
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Derivation scheme 




SHA I (password) 




User 
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Blob structure 



• Returned to the application (opaque structure) 

• Store user encrypted data 

• Contains decryption parameters 
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key subtleties 



• SHAI password are in UTF-I6LE 

• SID for HMAC are also in UTF- 1 6LE (don't forget 
the \0 !) 

• Windows 2000 do not use SHAI/3DES. We think 
it uses SHAI/RC4 (An/one want to try ?). 
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data blob structure key fields 



DWORD 


cbProviders; 


GUID 


*arrProviders; 


DWORD 


cbKeys; 


GUID 


*arrKeys; 


WCHAR 


*ppszDataDescr; 


DWORD 


idCipherAlgo; 


BYTE 


*pbSalt; 


DWORD 


idHashAlgo; 


BYTE 


*pbUnknown; 


BYTE 


*pbCipher; 


BYTE 


*pbHMAC; 
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data blob structure key fields 



DWORD 


cbProviders; 


GUID 


*arrProviders; 


DWORD 


cbKeys; 


GUID 


*arrKeys; 


WCHAR 


*ppszDataDescr; 


DWORD 


idCipherAlgo; 


BYTE 


*pbSalt; 


DWORD 


idHashAlgo; 


BYTE 


*pbUnknown; 


BYTE 


*pbCipher; 


BYTE 


*pbHMAC; 



Nb of crypto providers 
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data blob structure key fields 



DWORD cbProviders; 

GUID *arr Providers; < CrvptO OrOViderS GUID 

DWORD cbKeys; 

GUID *arrKeys; 

WCHAR *ppszDataDescr; 

DWORD idCipherAlgo; 

BYTE *pbSalt; 

DWORD idHashAlgo; 

BYTE *pbUnknown; 

BYTE *pbCipher; 

BYTE *pbHMAC; 
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data blob structure key fields 



DWORD cbProviders; 

GUID *arr Providers; 

DWORD cbKeys; < Nb of iTiasters ke/s 

GUID *arrKeys; 

WCHAR *ppszDataDescr; 

DWORD idCipherAlgo; 

BYTE *pbSalt; 

DWORD idHashAlgo; 

BYTE *pbUnknown; 

BYTE *pbCipher; 

BYTE *pbHMAC; 
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data blob structure key fields 



DWORD cbProviders; 

GUID *arr Providers; 

DWORD cbKeys; 

GUID *arrKeys; < MaSterS ke/S GUID 

WCHAR *ppszDataDescr; 

DWORD idCipherAlgo; 

BYTE *pbSalt; 

DWORD idHashAlgo; 

BYTE *pbUnknown; 

BYTE *pbCipher; 

BYTE *pbHMAC; 
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data blob structure key fields 



DWORD cbProviders; 

GUID *arr Providers; 

DWORD cbKeys; 

GUID *arrKeys; 

wcHAR *ppszDataDescr; < Optional description 

DWORD idCipherAlgo; 

BYTE *pbSalt; 

DWORD idHashAlgo; 

BYTE *pbUnknown; 

BYTE *pbCipher; 

BYTE *pbHMAC; 
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data blob structure key fields 



DWORD cbProviders; 

GUID *arr Providers; 

DWORD cbKeys; 
GUID *arrKeys; 

WCHAR *ppszDataDescr; 

DWORD idCipherAigo; < Encr/ption algorithm ID 

BYTE *pbSalt; 
DWORD idHashAlgo; 

BYTE *pbUnknown; 

BYTE *pbCipher; 

BYTE *pbHMAC; 
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data blob structure key fields 



DWORD cbProviders; 

GUID *arr Providers; 

DWORD cbKeys; 

GUID *arrKeys; 

WCHAR *ppszDataDescr; 

DWORD idCipherAlgo; 

BYTE *pbsait; < Salt generated by DPAPI 

DWORD idHashAlgo; 

BYTE *pbUnknown; 

BYTE *pbCipher; 

BYTE *pbHMAC; 
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data blob structure key fields 



DWORD cbProviders; 

GUID *arr Providers; 

DWORD cbKeys; 

GUID *arrKeys; 

WCHAR *ppszDataDescr; 

DWORD idCipherAlgo; 

BYTE *pbSalt; 

DWORD idHashAigo; Hash algorithm ID 

BYTE *pbUnknown; 

BYTE *pbCipher; 

BYTE *pbHMAC; 
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data blob structure key fields 



DWORD cbProviders; 

GUID *arr Providers; 

DWORD cbKeys; 

GUID *arrKeys; 

WCHAR *ppszDataDescr; 

DWORD idCipherAlgo; 

BYTE *pbSalt; 

DWORD idHashAlgo; 

BYTE *pbUnknown; ^ Unknown data 

BYTE *pbCipher; 

BYTE *pbHMAC; 
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data blob structure key fields 



DWORD 


cbProviders; 


GUID 


*arrProviders; 


DWORD 


cbKeys; 


GUID 


*arrKeys; 


WCHAR 


*ppszDataDescr; 


DWORD 


idCipherAlgo; 


BYTE 


*pbSalt; 


DWORD 


idHashAlgo; 


BYTE 


*pbUnknown; 


BYTE 


*pbCipher; 


BYTE 


*pbHMAC; 



Encrypted data 
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data blob structure key fields 



DWORD cbProviders; 

GUID *arr Providers; 

DWORD cbKeys; 

GUID *arrKeys; 

WCHAR *ppszDataDescr; 

DWORD idCipherAlgo; 

BYTE *pbSalt; 

DWORD idHashAlgo; 

BYTE *pbUnknown; 

BYTE *pbCipher; 

BYTE *pbHMAC; < Blob HMAC 
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Master key structure 



• Store the key used to decrypt blob 

• Encrypted with the user password 

• Renewed every 3 months 
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The master key file 



Header 
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The master key file 



Header 



Keys infos 
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The master key file 



Header 



Keys infos 



Master key 
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The master key file 



Header 



Keys infos 



Master key 



Key ? 
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The master key file 



Header 



Keys infos 



Master key 



Key ? 



Footer 
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Header structure 



Header 


aw version, 


Keys infos 


nullPadI; 
szKeyGUID[36]; 


Master key 


Key ? 


Footer 


nullPadl; 
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Header structure 



Header 


aw version, 


Keys infos 


nullPadI; 
szKeyGUID[36]; 


Master key 


Key ? 


Footer 


nullPadl; 
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File version 
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Header structure 



Header 


aw version, 


Keys infos 


nullPadI; 
szKeyGUID[36]; 


Master key 


Key ? 


Footer 


nullPadl; 
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Key infos structure 





dwUnknown; 


neaaer 


Keys infos 


cbMasterKey; 


Master key 


cb Mystery Key; 


Key ? 


dwHMACLen; 


Footer 




nullPadB; 
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Key infos structure 





dwUnknown; 


neaaer 


Keys infos 


cbMasterKey; 


Master key 


cb Mystery Key; 


Key ? 


dwHMACLen; 


Footer 




nullPadB; 
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Key infos structure 





dwUnknown; 


neaaer 


Keys infos 


cbMasterKey; 


Master key 


cb Mystery Key; 


Key ? 


dwHMACLen; 


Footer 




nullPadB; 
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Key infos structure 





dwUnknown; 


neaaer 


Keys infos 


cbMasterKey; 


Master key 


cb Mystery Key; 


Key ? 


dwHMACLen; 


Footer 




nullPadB; 
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Master key structure 





dwMagic; 


Header 


pbSalt[l6]; 
cblteration; 


Keys infos 




Master key 






idMACAIgo; 


Key ? 


Footer 


idCipherAlgo; 




pbCipheredKey[]; 
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Master key structure 



dwMagic; 



Header 



Keys infos 
Master key 



Key ? 



Footer 



pbSalt[l6]; 
cblteration; 
idMACAIgo; 
idCipherAlgo; 



Key salt 



pbCipheredKey[]; 
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Master key structure 



Header 



Keys infos 



Master key 



Key ? 



Footer 



dwMagic; 

pbSalt[l6]; 

cblteration; 

idMACAIgo; 

idCipherAlgo; 

pbCipheredKey[]; 



PBKDF2 nb rounds 
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Master key structure 



Header 



Keys infos 



Master key 



Key ? 



Footer 



dwMagic; 

pbSalt[l6]; 

cblteration; 

idMACAIgo; 

idCipherAlgo; 

pbCipheredKey 



Jean-Michel Picod, Elie Bursztein 



Wednesday, Februarys, 2010 



HMAC algorithm ID 



Master key structun 



Header 



Keys infos 



Master key 



Key ? 



Footer 



dwMagic; 
pbSalt[l6]; 
cblteration; 
idMACAIgo; 
idCipherAlgo; 
pbCipheredKe; 
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Encryption Algo id 



Master key structure 



Header 



Keys infos 



Master key 



Key ? 



Footer 



dwMagic; 

pbSalt[l6]; 

cblteration; 

idMACAIgo; 

idCipherAlgo; 

pbCipheredKey 
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Encrypted key 



Decrypting the Master key 



DPAPIDecryptKey(sha I , encKey) { 

tmp-key = HMAC(shal, SID) 

pre-key = PBKDF2(decryptKey, Salt, ID_ALGO, 
nblteration) 

BdesKey = pre-key[0 - 23] 
3deslV= [24- 31] 

(hmac[0-35], DWORD[36-39], master-key 
[40-104]) = 3des-cbc(3desKey, iv, encKey) 

} 
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key structure 



Header 



Keys infos 



Master key 



Key ? 



Footer 



• Seems to have the same structure than 
the master key 

• One round of derivation (XP not Seven) 

• 256 bits (half size of the real master-key) 
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Possible explanation 








1 1 U 1 




mode for windows 2000 exist. 


Kpv<^ infn<^ 




1 ne registry Key to trigger iz is un Known 


Master kev 


• 


If we are correct and W2I< uses RC4 


Key ? 




tiicn tile mysxery Key id pooSiDiy a i\v^t 


Footer 




l<ey (256bits is the correct size). 




• 


PBKDF2 used to compute the IV ?? 
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Possible explanation continued 



Header 




Keys infos 


• We know that RC4 have a weak key 


Master key 


scheduling algorithm (remember WEP ?) 


Key ? 


• Might be a potential weakness (or not) 


Footer 
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Header structure 



Header 



Keys infos 



Master key 



Key ? 



Footer 



dwMagic; 
credHist[l6] 
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Header structure 





Header 




Keys infos 




Master key 




Key ? 




Footer 



dwMagic; 

credHist[ 1 6]; < Password GUID 
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Differences between windows version 





XP 


Vista 


Seven 


PBKDF2 
rounds 


4000 


24000 


Variable 
(factor ?) 


Symmetric 
algorithm 


3DES 


3DES 


AES 


Hash 
algorithm 


SHAI 


SHAI 


SHA5 1 2 
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Decrypting a blob 



Data blob 
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Decrypting a blob 




Data blob 



Master key GUID 



Master key file 
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Decrypting a blob 




Data blob 



Master key GUID 



Master key file 



Salt, Nb iterations 
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Decrypting a bio 




Data blob 



Master key GUID 
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Master key file 



Salt, Nb iterations 



Pre key 



SH A I (password) 



User SID 
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Decrypting a bio 




Data blob 



Master key GUID 
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Master key file 



Salt, Nb iterations 



Pre key 



SH A I (password) 



User SID 



Master key 
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Decrypting a blob 




Data blob 



Master key GUID 



Cipher + Key 



Master key file 



Salt, Nb iterations 




SH A I (password) 



User SID 



Master key 
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Decrypting a blob 




Data blob 



Master key GUID 



Cipher + Key 



Master key file 



Salt, Nb iterations 




Pre key 






Master key 


> 




Blob key 



SH A I (password) 



User SID 
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Decrypting a blob 
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Decrypting a blob 




Data blob 



Master key GUID 



Cipher + Key 



Master key file 




Salt, Nb iterations 



Pre key 






Master key 


> 




Blob key 



SH A I (password) 



User SID 
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Decrypting a blob 




Wednesday, Februarys, 2010 



Decrypt blob aka the strange HMAC 



DecryptBlobQ { 
kt = SHA I (masterkey) 
opad = Ox5c xor kt 
ipad = 0x36 xor kt 

i = SHAI (opad.SHAI (ipad . salt).entropyCond) 

kd = Cr/ptDeriveKey(i) //not reversed (yet) 
CryptDecrypt(data, kd) 

} 
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Did I miss something ? 
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Did I miss something ? 



• How the OS knows the current master key ? 
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Did I miss something ? 



How the OS knows the current master key ? 
How the OS decides to renew the master key ? 
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Did I miss something ? 



• How the OS knows the current master key ? 

• How the OS decides to renew the master key ? 

• What happen when the user changes his 
password ? 
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Key renewal process 



• Renewed every 3 months automatically 

• Passive process: executed when CryptProtect 
called 

• Hardcoded limit (location unknown) 

• Possibly in psbase.dll (MS crypto provider) 

• Can be reduced by using registry override 



Jean-Michel Picod, Elie Bursztein 



Wednesday, Februarys, 2010 



http://www.dpapick.com 



33 



Master key selection 



• All master keys are kept because Windows can*t 
tell if a key is still used 

• Keys are stored in %APPDATA%/Microsoft/Protect/[siD] 

• Current master key is specified in the Preferred 
file 



Jean-Michel Picod, Elie Bursztein 



Wednesday, Februarys, 2010 



http://www.dpapick.com 



34 



The Preferred file 



• Simply contains : 

"GUID master key" . "timestamp'' 

• The key is renewed when 

current time > timestamp 
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The Preferred file 



• Simply contains : 

"GUID master key" . "timestamp'' 

• The key is renewed when 

current time > timestamp 



Key escrow attack : Plant a key and update the 
Preferred file every 3 months (e.g using the task 
scheduler) 
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User password renewal 



• Master keys are re-encrypted when the password 
change 

• Experimentally not all of them, just the last few 
ones 
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Decrypting a blob 




Data blob 



Master key GUID 



Master key file 



\ 



\ 



\ 



Pre key 


> 




Master key 


> 




Blob key 
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Decrypting a blob 




Data blob 



Master key GUID 



\ 



\ 



Master key file 



\ 



Pre key 



t 



Master key 



Blob key 
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CREDHIST overview 



SHA I (password) 
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CREDHIST overviev 



Structure 
pass n-1 
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SHA I (password) 



CREDHIST overview 



Structure 
pass n-2 



Decrypt 



Structure 
pass n-1 



Decrypt 



SHA I (password) 
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CREDHIST overview 



Structure 
pass n- 3 



Decrypt 



Structure 
pass n-2 



Decrypt 



Structure 
pass n-1 



Decrypt 



SHA I (password) 
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CREDHIST overview 



Structure 
pass 1 



Structure 
pass 2 



Structure 
pass n- 3 



Structure 
pass n-2 



Structure 
pass n-1 



Decrypt 



Decrypt 



Decrypt 



Decrypt 



SHA I (password) 
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CREDHIST entry structure main fields 



IdHashAlgo; 
dwRounds; 
dwCipherAlgo; 
bSID[l2]; 

dwComputerSID[3]; 
dwAccountID; 
bData[28]; 
bPasswordlD[l6] 
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CREDHIST entry structure main fields 



idHashAlgo; < Hash algO ID 

dwRounds; 

dwCipherAlgo; 

bSID[l2]; 

dwComputerSID[3]; 
dwAccountID; 
bData[28]; 
bPasswordlD[l6] 
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CREDHIST entry structure main fields 



IdHashAlgo; 

dwRounds; < Nb rounds 

dwCipherAlgo; 
bSID[l2]; 

dwComputerSID[3]; 
dwAccountID; 
bData[28]; 
bPasswordlD[l6] 
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CREDHIST entry structure main fields 



idHashAlgo; 
dwRounds; 

dwCipherAigo; Encryption Algorithm ID 

bSID[l2]; 

dwComputerSID[3]; 
dwAccountID; 
bData[28]; 
bPasswordlD[l6] 
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CREDHIST entry structure main fields 



IdHashAlgo; 

dwRounds; 

dwCipherAlgo; 

bSID[l2]; ^ jjgg^ U5IQ 

dwComputerSID[3]; 
dwAccountID; 
bData[28]; 
bPasswordlD[l6] 
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CREDHIST entry structure main fields 



IdHashAlgo; 
dwRounds; 
dwCipherAlgo; 
bSID[l2]; 

dwComputerSiD[3]; ^ Computer SID 

dwAccountID; 

bData[28]; 

bPasswordlD[l6] 
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CREDHIST entry structure main fields 



IdHashAlgo; 
dwRounds; 
dwCipherAlgo; 
bSID[l2]; 

dwComputerSID[3]; 

dwAccountID; 

bData[28]; 



bPasswordlD[l6] 



Account ID 
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CREDHIST entry structure main fields 



IdHashAlgo; 
dwRounds; 
dwCipherAlgo; 
bSID[l2]; 

dwComputerSID[3]; 
dwAccountID; 

bData[28]; ^ Encr/pted password SHAI 

bPasswordlD[l6] 



Jean-Michel Picod, Elie Bursztein 



Wednesday, Februarys, 2010 



http://www.dpapick.com 



39 



CREDHIST entry structure main fields 



IdHashAlgo; 
dwRounds; 
dwCipherAlgo; 
bSID[l2]; 

dwComputerSID[3]; 

dwAccountID; 

bData[28]; 

bPasswordiD[i6] < Password GUID 
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Decryption algorithm overview 



Dec ry ptC red h ist{ 

SID = (USID-ComputerlD-AccountID) 

tmp-key = HMAC(shal, SID) 

pre-key = PBKDF2(decryptKey, Salt, ID_ALGO, 
nblteration) 

BdesKey = pre-key[0 - 23] 
3deslV= [24- 31] 

(SHAI[0-l9],HMAC[20-39]) = 3des-cbc 
(3desKey, iv, encKey) 
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DPAPIck demo 




Warning 



• DPAPIck is in ALPHA stage. Use it at your own 
risk ! You have been warned. It is just a POC 

• Know bugs : 

• No HMAC checks -> No key check. 

• No Seven support, tested only on XP 

• No conditional entropy / strong password in Ul 

• Don't choose the correct master key by itself 

• Buffer overflows :) 
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DPAPIck future 



• We made the choice to release early so you know 
we are telling the truth and everyone can start 
playing. 

• We will provide a more robust version and 
eventually open the source code so one day Linux 
will read EFS files :) 

• It just too soon for this. 
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LSA 



• LSASS secret contains a DPAPI_SYSTEM value 

• Length == 2 * SHA I 

• Usage are unknown 

• We think that I of them is used as a SYSTEM 
account "password" 

• Need to be confirmed 
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EFS 



• Certificate private key is encrypted with DPAPI 

• Key are stored in 

• To read EFS file offline, we just need to import the 
user certificate and its private keys in our key 
store. 

• Work in progress in DPAPIck 
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What is next 



• Can we build a rogue crypto provider ? 

• What are the two SHAI stored in the LSA ? 

• Where is stored the renewal hard lime ? 

• CryptDeriveKey needed to be reversed to have a 
fully portable implementation (Everything else is 
already portable) 
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Conclusion 



• Open the door to offline forensic 

• First step toward EFS on alternative systems 

• CREDHIST allows to recover previous passwords 

• DPAPIck : http://dpapick.conn 

• Some things remain unl<nown 
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Questions ? 



Thanks to the nightingale team 
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